Mobile and Secure.Com

I’ve been wondering about the difference between 2G and 3G mobile phone networks recently, so I started to do a little research. It got a little confusing at first, especially if you add 2.5G, 2.75G, and 4G to the mix.

Anyway, here are my notes. Feel free to comment on them and correct me. They are based on mobile phone networks in Europe.

1G

First generation mobile phone technology using analogue radio signals routed over a circuit switched network.

2G

Second generation mobile phone technology using digital radio signals, such as GSM also over a circuit-switched network (or packet-switched for GPRS, taken from 2.5G).

3G

Third generation mobile phone technology using wide area cell phone networks, using UMTS instead of GSM, following the IMT-2000 standard.

4G

Fourth generation mobile phone technology. Several standards currently in development are competing with each other for the 4G crown.

I’ve been happily using 4GB USB 2.0 flash drives for a while now, transferring data between machines at various locations, and using them as temporary backup devices. For some reason I’d come to the conclusion that 4GB was going to be it for these small memory sticks, and that if you needed more than 4GB you would have to invest in an external hard drive.

How wrong was I? Integral have announced their 32GB flash drive. 32GBs! That’s more than my 4-year old laptop has as a hard drive. I could backup my whole laptop onto something the size of a key fob! There’s even talk about 64GB flash drives becoming available shortly.

Having the ability to carry so much data around with you may be convenient, but from a security point of view it also means that there’s even more of your data at risk of being stolen. Or these devices could be employed to do the actual stealing. The complete contents of a target computer’s hard drive could be copied onto a device that fits into the palm of your hand.

Several companies are already updating their security policies to state that flash drives are not allowed on the premises. It’s one thing to say they are not allowed, it’s another to police it. As the world goes USB mad, it’s possible to purchase USB flash drives in a variety of form factors. So instead of having to look for the obvious ‘pen drive’ form factor, you have to wonder if that fuzzy bee keychain on that girls handbag is what it appears to be, or a USB flash device in disguise.

Somebody even figured out that the width of a USB connector is smaller than the diameter of an AA battery, so they built a battery that can recharge from a USB port. How long before someone builds a USB flash drive that looks like a battery? You could sneak it into places disguised as a battery in a portable radio.

It didn’t take long for tech companies to catch on to the growing market need for ways to secure data held on employee laptops. I’ve read various hardware and software solutions, the latest being the OmniAccess 3500 Nonstop Laptop Guardian from Alcatel-Lucent.

Most of the solutions I’ve read about so far rely on the laptop thief booting the laptop in the state that it was stolen. In other words, powering up the laptop and trying to log on to the internet. This assumes that the thief is not a data thief, as data thieves just remove the hard drives from laptops so that no custom hardware is activated that may destroy the data, or no security software is executed that could delete/corrupt the data. A data thief will slave the stolen hard drive to his own machine (or more likely, image the drive and work on the image).

The OmniAccess 3500 acts as an encryption/decryption key for the data and without it, the data cannot be decoded. It also allows remote control, GPS tracking, and remote data erasure calls.

In theory it sounds like a step in the right direction. However, separating the PCMIA card from the laptop prevents the card from destroying any data on the laptop hard drive (assuming there is one and that the PCMIA embedded OS is not running like U3 and using the laptop hardware as a dumb terminal). You may not be able to decrypt the data, but you still have a copy while you wait for someone to reverse engineer the encryption algorithm.

The movements of a group of pupils attending a UK secondary school are being tracked via RFID in a current trial. The RFID tags allow the school’s computer system to determine whether the pupils are in the right classroom, in areas that they should not be, or not on school grounds during school hours.

While the wearing of the tags during the trial is voluntary, campaigners are already raising a commotion about human rights. What they are failing to realise is that the average child is more clued up on technology than the average adult. It’s not rocket science to figure out that if this technology becomes adopted by the nations schools, that the kids will figure ways around it, or to use it for their own benefit. Instead of getting your mates to say you were in a particular class, you give them your tag or the item of clothing that it’s attached to, and they take it into class so that the computer system will say that you were there.

I’m often asked what security software I use on my Windows XP laptop so I‘ve compiled a quick list below. Everything I use is free.

Software Firewall

The first step in securing your laptop is to install a decent software firewall. If you are connecting to various networks, wired or wireless, it’s not a good idea to just hope that the network you are connecting to is secure, you need to protect your laptop and your data.

Windows XP SP2 comes with its own software Firewall, and although I have used it when nothing else is available, I do not use it on my own laptop. I prefer a software firewall that offers more control, blocks everything from the start, and learns what software I wish to allow access to the internet, either temporarily, or always.

I previously used ZoneAlarm, but over time it became bloatware and developed an annoying feature - if you were idle for some time, it would block all internet traffic. The only way to access the internet again was to disable ZoneAlarm or to reboot your computer.

After trying out several alternative software firewalls, I came across Comodo Firewall Pro and I‘ve stuck with it ever since.

Anti-Virus

After your software firewall is up and running, next you need a good anti-virus solution. I use AVG Free Edition from Grisoft. I have it updating daily (manually) so that I always have the latest definitions loaded.

Anti-malware

Next you need a good anti-malware solution. Something that will remove spyware, ad-aware, browser hijackers, web diallers, and other types of malicious software that is not necessarily detected by your anti-virus solution.

I use Spybot Search and Destroy as my anti-spyware tool of choice. I search for updates, immunise, and run a complete system scan once a week.

Web browser 

For surfing I use the Firefox browser with the NoScript plug-in. This allows you to control what scripts run on any web site you visit. For instance you can allow scripts that run a feature of a web site you want to access, but block scripts that server you adverts.

I came across this article on the BBC website about using Wi-Fi and RFID to track people. The manufacturers of the technology say that it’s a great way to track assets or people within a controlled location, say a campus or a building, like say a hospital.

A hospital? Yes, apparently they recommend the use of this tracking technology in hospitals, a place where you are requested to turn your mobile phone off as soon as you walk in the door.

So while the government takes another look at the impacts of wireless networks on health, others are aiming to install wireless networks in hospitals.

The BBC recently reported that a UK company has created a biometric gadget to prevent car theft. The video shows a small fingerprint pad near the steering wheel which is used to start the car.

I have this love hate relationship with technology and cars. I was in a 3 year old Ford recently that was happily moving along at about 50mph, when it suddenly seemed to lose all power and I had to pull over. It turned out that a particular sensor had stopped working and the cars CPU interpreted this as serious fault and therefore as per its programming, limited the speed to 18mph.

My folks MPV recently developed a fault which could have been fatal while they were driving in the fast lane of a motorway. The MPVs ECU developed a fault and turned off the engine completely. Luckily the rest of the car electronics kept on working and they were able to move across all lanes of the motorway and come to a complete stop safely on the hard shoulder.

Although I love technology, I do think there is a time and place for it, and unless it’s an assisted system, such as antilock brakes, or in-car entertainment, I don’t think it should be in my car. When it comes to cars I like my classics. No chips, no fancy ECU or any other technological enhancement is present in my daily drive. When it comes to security I can rely on the old mechanical methods, such as removing the rotor arm, fitting a hidden fuel cut-off switch, or fitting a big-ass steering wheel lock. It might be a minor hassle enabling my security devices, but at least I know that as I’m driving down the motorway, that a chip in my car isn’t going to suddenly decide that it needs to reboot.

I remember watching Tom Cruise’s ’War of the Worlds’ where at the start of the film, the EMP had killed all the cars that were on the roads. I thought as I watched that scene that that wouldn‘t happen to my car, apart from my it-works-if-you-don’t-go-over-a-bump radio, nothing in my car has a chip in it.

Time will tell if biometric readers in cars are a good idea. Me, I’m sticking to my chip-free classic.

The subject of RFID keeps coming up in conversations I’ve been having lately. So rather than pleading ignorance, I decided to read up on RFID and share my notes here.

RFID (Radio Frequency IDentification) is a technology that allows the automatic identification of an object by the use of an embedded transponder device, usually a small (inexpensive) tag. The RFID tag is attached to an object, and comes in two parts, an integrated Circuit (IC) identified by an EPC and an antenna. The IC stores the information that the tag contains, the antenna receives and transmits data.

There are 3 types of RFID tag:

Passive tags have no internal power source. They are powered by the electrical current generated by the antenna from the incoming signal. They generally have a short broadcast range of a few feet.

Semi-passive tags have a small battery to power the IC. The antenna generates its own power to broadcast from the incoming signal without using the internal battery. Its broadcast range is generally the same as passive tags.

Active tags have an internal battery that powers the IC and is also used to broadcast the signal. These RFID tags have the greatest broadcast range of up to 300 feet and the battery can last up to 10 years. Some also have read/write memory so they can store received data.

RFID tags can be found in passports, chipped pets, car keys, credit cards, identity cards, travel cards, access cards, expensive products, shipping containers, human implants (rare), library books, and many more places where someone has a vested interest in tracking or identifying an item of value.

Security concerns: There are always privacy concerns where any new technology can be utilised to track an individual. Retailers that embed RFID tags in clothing for the purposes of reducing theft and stock taking do not necessarily remove the tag once the item has been sold. You could in theory have your movements tracked or allow others to know where you shop if your possessions retain RFID tags.

Whenever a new technology is capable of processing and storing useful data, someone will find a way to use that data in a way that you may not approve of.

It has already been reported that it is possible to infect an RFID IC with a virus. It is also possible to track RFID tag movement within an area (M-RFID). Your movements could be tracked and plotted on a map.

What can you do about RFID tags? Well you could get yourself a reader (or phone) and scan yourself and your possessions for any RFID tags. You could also buy (or make) an RFID Zapper which will render the RFID tag useless and unable to transmit without damaging the item to which it is attached. Others mention breaking the RFID tag by physically separating the aerial from the IC. RFIDs in passports, payment cards, or access cards can be shielded using special wallets.

Some RFID tags use encryption, but this has been proven to be pretty weak and easy to crack.

I went to see a film at the local cinema with a friend recently, and as we were exiting the cinema screen his mobile started beeping. It was being bombarded with Bluetooth messages. Upon inspecting the messages he found that all of them were adverts.

Now while my mate was mad at this electronic intrusion, and at himself for leaving Bluetooth enabled on his phone, I was a little curious about this ‘service’.

Now I haven’t used Bluetooth since it first came to my attention way back when I was working for a telecommunications company some years ago. I’d played with Bluetooth back then on a SonyEricsson P800, but these days most mobile handsets probably come with Bluetooth. So with so many people carrying Bluetooth enabled mobile phones, PDAs, and laptops, direct marketing to these devices must be pretty appealing to some.

This Bluespam, Proximity Marketing, or Bluecasting as it’s sometimes known, is proving popular enough that several companies have developed small servers running custom applications that can be set up in public places, and can transmit Bluetooth delivered spam to any Bluetooth enabled device (set to discoverable) within 100m/300ft (class 1) of the server.

Not only can these servers send out text messages, but also images, audio, video, and Java applications. The latter is probably meant to deliver games but there is no reason why other java applications could not be transmitted from these anonymous servers as you walk past (within 10m as mobile phone Bluetooth aerials are only class 2).

Reading further, I also learned that these servers can keep records of any devices they detected and transmitted to, along with the date and time. This is designed to allow them to deliver different content every time the same device is detected. Thinking about it, it’s also a great way of tracking a device’s movements if you have a number of these servers over a wide area, such as say, in a city, and they are networked. In theory you would be able to track the movements of the device within the network while targeting it with specific adverts.

More and more companies are employing software designed to take backups and install patches on employee desktop computers after they have left for the day. The employees are told to leave their computers on each night, although logging off is optional, as is leaving your monitor switched on, so the cleaner can gaze in awe at your ever-changing screensaver.

While this may seem like a great way to backup data and apply approved patches on mass, I can’t help wondering how much testing went into the development of these network based backup programs. What if my PC is running important software and I’ve left it on overnight so it can finish? I don’t want to find that it rebooted after a forced patch while I was not at my desk. And who dictates what gets backed up on an employees PC? Important document folders, emails, or just activity tracking logs?

Apart from making your company carbon footprint even bigger, from a security point of view, leaving all those computers on overnight connected to the company intranet increases the chances of your company network having a security weakness, or becoming infected with malware.